ZOOM’s flawed encryption routing video conference call keys linked in China: Reports

The Zoom video meeting and chat app has become the wildly popular host to millions of people working and studying from home during the coronavirus outbreak. (Photo by Olivier DOULIERY / AFP)


US-based video meeting app Zoom is extremely popular, particularly in these difficult times. However, the app has courted serious, well-known weaknesses. The fresh one comes from researchers at the University of Toronto.

It says the app sometimes using keys issued by servers in China, even when meeting participants are all in North America. Zoom appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software.

“Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities,’ said the team.

During its analysis, the security researchers also identified a security issue with Zoom’s Waiting Room feature.

“Assessing that the issue presented a risk to users, we have initiated a responsible vulnerability disclosure process with Zoom. We are not currently providing public information about the issue to prevent it from being abused,” the team said in a detailed statement on Friday.

While the mainline Zoom app (zoom.us) was reportedly blocked in China in November 2019, there are several third-party Chinese companies that sell the Zoom app within China (zoom.cn, zoomvip.cn, zoomcloud.cn).

Citizen Lab said it has initiated a responsible disclosure process with Zoom over Waiting Room vulnerability.

“We hope that the company will quickly act to patch and provide an advisory. In the meantime, we advise Zoom users who desire confidentiality to not use Zoom Waiting Rooms”.

The rapid uptake of teleconference platforms such as Zoom, without proper vetting, potentially puts trade secrets, state secrets, and human rights defenders at risk.

“Companies and individuals might erroneously assume that because a company is publicly listed or is a major household name, that this means the app is designed using security best practices. As we showed in this report, that assumption is false,” said Citizen Lab.

A TechCrunch report said on Saturday that Zoom “mistakenly” allowed two of its Chinese data centers to accept calls as a backup in the event of network congestion.

“During normal operations, Zoom clients attempt to connect to a series of primary data centers in or near a user’s region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform,” explained Zoom Founder and CEO Eric Yuan.

Yuan has already apologized for the privacy and security issues or “Zoom-bombing” being reported in his app that has seen a surge in usage globally as people work from home during lockdowns.

Slammed for the lack of users privacy and security by the US Federal Bureau of Investigation (FBI) and cybersecurity experts, reports claimed this week that the video conferencing app Zoom is also prone to hacking.

The Zoom CEO said that over the next 90 days, the company is committed to dedicating the resources needed to better identify, address, and fix issues proactively to “maintain your trust”.

In March this year, the user base on Zoom reached more than 200 million daily meeting participants, both free and paid.